For the complete table of contents of the "Kubernetes in Practice" series, see: Kubernetes in Practice - Table of Contents
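I. Harbor image registry environment
Hostname | IP address | Operating system | Role | Software versions | Notes |
---|---|---|---|---|---|
k8sproxy-hzbatst-1 | 10.120.67.25 | CentOS 7.5 | proxy, registry | haproxy, docker-ce 18.06.1, docker-compose 1.22.0, harbor 1.6.1 | |
For how the Harbor service was set up, see "Kubernetes First Look (1): Configuring the Enterprise-Grade Image Registry Harbor".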
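II. Integrating Harbor with Kubernetes
1. Configuring the self-signed certificate on the Kubernetes nodes [all nodes]
# On the Harbor node
cp /opt/app/harbor/certs/harbor.example.com.crt /etc/pki/ca-trust/source/anchors/ca.crt
# Run on each Kubernetes node, i.e. on the Harbor clients
mkdir -p /etc/docker/certs.d/harbor.ejuops.com
# Copy the self-signed root certificate to the Kubernetes nodes, i.e. the Harbor clients
# (a file placed in /etc/pki/ca-trust/source/anchors/ is added to the system trust store
#  only after update-ca-trust has been run on that node)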
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.26:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.27:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.28:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.29:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.30:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.31:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.26:/etc/docker/certs.d/harbor.ejuops.com/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.27:/etc/docker/certs.d/harbor.ejuops.com/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.28:/etc/docker/certs.d/harbor.ejuops.com/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.29:/etc/docker/certs.d/harbor.ejuops.com/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.30:/etc/docker/certs.d/harbor.ejuops.com/ca.crt
scp /opt/app/harbor/certs/harbor.ejuops.com.crt 10.120.67.31:/etc/docker/certs.d/harbor.ejuops.com/ca.crt
2. Creating a secret that stores the Harbor (registry) credentials
Make sure the relevant namespace has already been created
# cat ns_eju-test.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: eju-test
kubectl apply -f ns_eju-test.yaml
kubectl get ns
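Create a secret that stores the Harbor login credentials. The --docker-server value must be the same registry host that the Pod's image reference uses, and a password passed on the command line is recorded in the shell history.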
kubectl create secret docker-registry harbor-test --namespace=eju-test \
--docker-server=harbor.example.com --docker-username='eju_test_visitor' \
--docker-password='EJU@test1234' \
--docker-email='[email protected]'
kubectl get secret -n eju-test
harbor-test kubernetes.io/dockerconfigjson 1 73m
3. Testing the image pull (YAML)
# Make sure the image already exists in Harbor
docker pull nginx:1.14
docker tag nginx:1.14 harbor.example.com/eju-test/nginx:1.14
docker push harbor.example.com/eju-test/nginx:1.14
# cat app_nginx.yaml
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; on current clusters use apps/v1
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    run: nginx-app
  name: nginx-app
  namespace: eju-test
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx-app
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        run: nginx-app
    spec:
      containers:
      - name: nginx-app
        image: harbor.ejuops.com/eju-test/nginx:1.14
        ports:
        - containerPort: 80
          protocol: TCP
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      # the secret created in step 2; it must be in the same namespace as the Pod
      imagePullSecrets:
      - name: harbor-test
kubectl apply -f app_nginx.yaml
kubectl get pod -n eju-test -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP             NODE                NOMINATED NODE
nginx-app-888548bb4-zhxwk   1/1     Running   0          18m   192.168.3.15   k8snode-hzbatst-1   <none>
curl 192.168.3.15
... ..
<h1>Welcome to nginx!</h1>
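The commands above name the registry both as harbor.example.com (in the secret) and as harbor.ejuops.com (in the Deployment image), and a pull secret only helps when its registry host matches the image's. The following check is an added example, not part of the original post: it decodes the `.dockerconfigjson` payload of a pull secret and lists images whose registry host has no credentials in it. The function names and the sample secret are constructed for illustration, and matching is by host only, which is simpler than the kubelet's own matching.

```python
import base64
import json
from urllib.parse import urlparse


def registry_of(image):
    """Registry host of an image reference, following Docker's rule: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image is on Docker Hub (docker.io)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def secret_registries(dockerconfigjson_b64):
    """Decode the .dockerconfigjson field of a kubernetes.io/dockerconfigjson
    secret and return the registry hosts it holds credentials for."""
    cfg = json.loads(base64.b64decode(dockerconfigjson_b64))
    hosts = set()
    for key in cfg.get("auths", {}):
        # Keys are either a bare host or a URL such as https://index.docker.io/v1/
        host = urlparse(key if "://" in key else "//" + key).netloc.lower()
        hosts.add("docker.io" if host == "index.docker.io" else host)
    return hosts


def uncovered_images(images, dockerconfigjson_b64):
    """Images whose registry host has no entry in the pull secret."""
    covered = secret_registries(dockerconfigjson_b64)
    return [img for img in images if registry_of(img) not in covered]


# Constructed sample of what `kubectl create secret docker-registry` stores for
# --docker-server=harbor.example.com; the credentials are placeholders.
SAMPLE_SECRET = base64.b64encode(json.dumps({
    "auths": {"harbor.example.com": {
        "username": "placeholder-user", "password": "placeholder-pass",
        "auth": base64.b64encode(b"placeholder-user:placeholder-pass").decode(),
    }}
}).encode()).decode()

if __name__ == "__main__":
    images = ["harbor.example.com/eju-test/nginx:1.14",
              "harbor.ejuops.com/eju-test/nginx:1.14"]
    for img in uncovered_images(images, SAMPLE_SECRET):
        print("no pull credentials for:", img)
```

On a real cluster the payload can be read with `kubectl get secret harbor-test -n eju-test -o jsonpath='{.data.\.dockerconfigjson}'` and passed in place of the sample.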